1a84c6cbc60ee850423b99017642dca9b630f416
[samba.git] / source3 / utils / net_domain.c
1 /* 
2    Samba Unix/Linux SMB client library 
3    net ads commands
4    Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5    Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6    Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7    Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
8    Copyright (C) 2008 Guenther Deschner (gd@samba.org)
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.  
22 */
23
24 #include "includes.h"
25 #include "utils/net.h"
26
27 /* Macro for checking RPC error codes to make things more readable */
28
29 #define CHECK_RPC_ERR(rpc, msg) \
30         if (!NT_STATUS_IS_OK(result = rpc)) { \
31                 DEBUG(0, (msg ": %s\n", nt_errstr(result))); \
32                 goto done; \
33         }
34
35 #define CHECK_RPC_ERR_DEBUG(rpc, debug_args) \
36         if (!NT_STATUS_IS_OK(result = rpc)) { \
37                 DEBUG(0, debug_args); \
38                 goto done; \
39         }
40
41 /*******************************************************************
42  Leave an AD domain.  Windows XP disables the machine account.
43  We'll try the same.  The old code would do an LDAP delete.
44  That only worked using the machine creds because added the machine
45  with full control to the computer object's ACL.
46 *******************************************************************/
47
48 NTSTATUS netdom_leave_domain( TALLOC_CTX *mem_ctx, struct cli_state *cli, 
49                          DOM_SID *dom_sid )
50 {       
51         struct rpc_pipe_client *pipe_hnd = NULL;
52         POLICY_HND sam_pol, domain_pol, user_pol;
53         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
54         char *acct_name;
55         uint32 user_rid;
56         struct lsa_String lsa_acct_name;
57         struct samr_Ids user_rids;
58         struct samr_Ids name_types;
59         union samr_UserInfo *info = NULL;
60
61         /* Open the domain */
62         
63         if ( (pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status)) == NULL ) {
64                 DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
65                         nt_errstr(status) ));
66                 return status;
67         }
68
69         status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
70                                       pipe_hnd->cli->desthost,
71                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
72                                       &sam_pol);
73         if ( !NT_STATUS_IS_OK(status) )
74                 return status;
75
76
77         status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
78                                         &sam_pol,
79                                         SEC_RIGHTS_MAXIMUM_ALLOWED,
80                                         dom_sid,
81                                         &domain_pol);
82         if ( !NT_STATUS_IS_OK(status) )
83                 return status;
84
85         /* Create domain user */
86         
87         acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname()); 
88         strlower_m(acct_name);
89
90         init_lsa_String(&lsa_acct_name, acct_name);
91
92         status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
93                                          &domain_pol,
94                                          1,
95                                          &lsa_acct_name,
96                                          &user_rids,
97                                          &name_types);
98         if ( !NT_STATUS_IS_OK(status) )
99                 return status;
100
101         if ( name_types.ids[0] != SID_NAME_USER) {
102                 DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types.ids[0]));
103                 return NT_STATUS_INVALID_WORKSTATION;
104         }
105
106         user_rid = user_rids.ids[0];
107                 
108         /* Open handle on user */
109
110         status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
111                                       &domain_pol,
112                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
113                                       user_rid,
114                                       &user_pol);
115         if ( !NT_STATUS_IS_OK(status) ) {
116                 goto done;
117         }
118         
119         /* Get user info */
120
121         status = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
122                                            &user_pol,
123                                            16,
124                                            &info);
125         if ( !NT_STATUS_IS_OK(status) ) {
126                 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
127                 goto done;
128         }
129
130         /* now disable and setuser info */
131
132         info->info16.acct_flags |= ACB_DISABLED;
133
134         status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
135                                          &user_pol,
136                                          16,
137                                          info);
138
139         rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
140
141 done:
142         rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
143         rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
144         
145         cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */
146         
147         return status;
148 }
149
150 /*******************************************************************
151  Store the machine password and domain SID
152  ********************************************************************/
153
154 int netdom_store_machine_account( const char *domain, DOM_SID *sid, const char *pw )
155 {
156         if (!secrets_store_domain_sid(domain, sid)) {
157                 DEBUG(1,("Failed to save domain sid\n"));
158                 return -1;
159         }
160
161         if (!secrets_store_machine_password(pw, domain, SEC_CHAN_WKSTA)) {
162                 DEBUG(1,("Failed to save machine password\n"));
163                 return -1;
164         }
165
166         return 0;
167 }
168
169 /*******************************************************************
170  ********************************************************************/
171
172 NTSTATUS netdom_get_domain_sid( TALLOC_CTX *mem_ctx, struct cli_state *cli, 
173                                 const char **domain, DOM_SID **sid )
174 {
175         struct rpc_pipe_client *pipe_hnd = NULL;
176         POLICY_HND lsa_pol;
177         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
178         union lsa_PolicyInformation *info = NULL;
179
180         if ( (pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &status)) == NULL ) {
181                 DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n",
182                         nt_errstr(status) ));
183                 return status;
184         }
185
186         status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
187                         SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol);
188         if ( !NT_STATUS_IS_OK(status) )
189                 return status;
190
191         status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
192                                             &lsa_pol,
193                                             LSA_POLICY_INFO_ACCOUNT_DOMAIN,
194                                             &info);
195         if ( !NT_STATUS_IS_OK(status) )
196                 return status;
197
198         *domain = info->account_domain.name.string;
199         *sid = info->account_domain.sid;
200
201         rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
202         cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */
203
204         /* Bail out if domain didn't get set. */
205         if (!domain) {
206                 DEBUG(0, ("Could not get domain name.\n"));
207                 return NT_STATUS_UNSUCCESSFUL;
208         }
209         
210         return NT_STATUS_OK;
211 }
212
213 /*******************************************************************
214  Do the domain join
215  ********************************************************************/
216  
217 NTSTATUS netdom_join_domain( TALLOC_CTX *mem_ctx, struct cli_state *cli, 
218                            DOM_SID *dom_sid, const char *clear_pw,
219                            enum netdom_domain_t dom_type )
220 {       
221         struct rpc_pipe_client *pipe_hnd = NULL;
222         POLICY_HND sam_pol, domain_pol, user_pol;
223         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
224         char *acct_name;
225         struct lsa_String lsa_acct_name;
226         uint32 user_rid;
227         uint32 acb_info = ACB_WSTRUST;
228         uint32 acct_flags;
229         uchar pwbuf[532];
230         struct MD5Context md5ctx;
231         uchar md5buffer[16];
232         DATA_BLOB digested_session_key;
233         uchar md4_trust_password[16];
234         uint32_t access_granted = 0;
235         struct samr_Ids user_rids;
236         struct samr_Ids name_types;
237         union samr_UserInfo info;
238
239         /* Open the domain */
240         
241         if ( (pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status)) == NULL ) {
242                 DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
243                         nt_errstr(status) ));
244                 return status;
245         }
246
247         status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
248                                       pipe_hnd->cli->desthost,
249                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
250                                       &sam_pol);
251         if ( !NT_STATUS_IS_OK(status) )
252                 return status;
253
254
255         status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
256                                         &sam_pol,
257                                         SEC_RIGHTS_MAXIMUM_ALLOWED,
258                                         dom_sid,
259                                         &domain_pol);
260         if ( !NT_STATUS_IS_OK(status) )
261                 return status;
262
263         /* Create domain user */
264         
265         acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname()); 
266         strlower_m(acct_name);
267
268         init_lsa_String(&lsa_acct_name, acct_name);
269
270         /* Don't try to set any acb_info flags other than ACB_WSTRUST */
271         acct_flags = SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
272                      SEC_STD_WRITE_DAC | SEC_STD_DELETE |
273                      SAMR_USER_ACCESS_SET_PASSWORD |
274                      SAMR_USER_ACCESS_GET_ATTRIBUTES |
275                      SAMR_USER_ACCESS_SET_ATTRIBUTES;
276
277         DEBUG(10, ("Creating account with flags: %d\n",acct_flags));
278
279         status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
280                                          &domain_pol,
281                                          &lsa_acct_name,
282                                          acb_info,
283                                          acct_flags,
284                                          &user_pol,
285                                          &access_granted,
286                                          &user_rid);
287
288         if ( !NT_STATUS_IS_OK(status) 
289                 && !NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) 
290         {
291                 d_fprintf(stderr, "Creation of workstation account failed\n");
292
293                 /* If NT_STATUS_ACCESS_DENIED then we have a valid
294                    username/password combo but the user does not have
295                    administrator access. */
296
297                 if (NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED))
298                         d_fprintf(stderr, "User specified does not have administrator privileges\n");
299
300                 return status;
301         }
302
303         /* We *must* do this.... don't ask... */
304
305         if (NT_STATUS_IS_OK(status)) {
306                 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
307         }
308
309         status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
310                                          &domain_pol,
311                                          1,
312                                          &lsa_acct_name,
313                                          &user_rids,
314                                          &name_types);
315         if ( !NT_STATUS_IS_OK(status) )
316                 return status;
317
318         if ( name_types.ids[0] != SID_NAME_USER) {
319                 DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types.ids[0]));
320                 return NT_STATUS_INVALID_WORKSTATION;
321         }
322
323         user_rid = user_rids.ids[0];
324                 
325         /* Open handle on user */
326
327         status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
328                                       &domain_pol,
329                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
330                                       user_rid,
331                                       &user_pol);
332         if (!NT_STATUS_IS_OK(status)) {
333                 return status;
334         }
335         
336         /* Create a random machine account password and generate the hash */
337
338         E_md4hash(clear_pw, md4_trust_password);
339         encode_pw_buffer(pwbuf, clear_pw, STR_UNICODE);
340         
341         generate_random_buffer((uint8*)md5buffer, sizeof(md5buffer));
342         digested_session_key = data_blob_talloc(mem_ctx, 0, 16);
343         
344         MD5Init(&md5ctx);
345         MD5Update(&md5ctx, md5buffer, sizeof(md5buffer));
346         MD5Update(&md5ctx, cli->user_session_key.data, cli->user_session_key.length);
347         MD5Final(digested_session_key.data, &md5ctx);
348         
349         SamOEMhashBlob(pwbuf, sizeof(pwbuf), &digested_session_key);
350         memcpy(&pwbuf[516], md5buffer, sizeof(md5buffer));
351
352         /* Fill in the additional account flags now */
353
354         acb_info |= ACB_PWNOEXP;
355         if ( dom_type == ND_TYPE_AD ) {
356 #if !defined(ENCTYPE_ARCFOUR_HMAC)
357                 acb_info |= ACB_USE_DES_KEY_ONLY;
358 #endif
359                 ;;
360         }
361
362         /* Set password and account flags on machine account */
363         ZERO_STRUCT(info.info25);
364         info.info25.info.fields_present = ACCT_NT_PWD_SET |
365                                           ACCT_LM_PWD_SET |
366                                           SAMR_FIELD_ACCT_FLAGS;
367         info.info25.info.acct_flags = acb_info;
368         memcpy(&info.info25.password.data, pwbuf, sizeof(pwbuf));
369
370
371         status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
372                                          &user_pol,
373                                          25,
374                                          &info);
375
376         if ( !NT_STATUS_IS_OK(status) ) {
377                 d_fprintf( stderr, "Failed to set password for machine account (%s)\n", 
378                         nt_errstr(status));
379                 return status;
380         }
381
382         rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
383         cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */
384         
385         return status;
386 }
387